1. Field of the Invention
This invention relates to a technique and methods for authenticating a user's access rights to digital data, services, and the like, by applying encryption and decryption.
2. Discussion of the Related Art
Methods with which to authenticate users' access rights can be largely divided into two types.
In the first type, an access right verifier possesses a list of users having an access right to an object (hereinafter referred to as an access control list). The verifier, upon a user's request for access, examines whether the user is included in the list, and determines his accessibility.
In the second type, a user possesses data, or a "capability", that shows his access right to an object. When requesting access, a user proves to an access right verifier that he holds a capability. The verifier determines the user's accessibility by examining whether or not the possession of the capability has been correctly proven.
There is a critical problem with the first type when the object to be accessed is digital content, such as digital data or an application program operated on a computer or the like.
Digital contents can easily be copied. Even when an access right to the original content can be authenticated, it is not possible to authenticate the access right to a copied digital content.
In order to solve this problem, it is possible to make the digital content, the access right verifier and the access control list inseparable, so that the access right verifier and the access control list are copied whenever the digital content itself is copied. However, when the access control list of a content needs to be changed, it is almost impossible to change the access control lists of every copy of the content that has been distributed until then.
Using capabilities is a more appropriate and effective way for authentication of users' access rights to digital contents, but there is a problem with this method as well.
A capability is data representing a user's access right, and it can be copied. When a user possessing a capability to a digital content makes a copy of his capability and provides it to a third person without a legitimate access right, it becomes possible for the third person to access the content.
An apparatus for controlling access to digital data suggested in the Japanese Laid-Open Patent No.10-247905 by some of the inventors of the present invention aims to solve this problem. The apparatus consists of a proving apparatus to prove possession of a user's access right to a digital content and a verification apparatus to verify the result of the proving apparatus.
The proving apparatus possesses user identifying information which is not revealed to the user. The capability to a digital content is masked using the user identifying information and handed out to each user as an "access ticket".
The proving apparatus proves the capability of a user using the access ticket and the user identifying information. Access tickets are masked using a value unique to each user so that it is not possible for a third person to prove his capability with a copied access ticket.
The method as suggested in Japanese Laid-Open Patent No.10-247905 is a method that distributes capabilities to users while preventing illegal access by users' copying of capabilities.
The verification apparatus of this method possesses an encrypted digital content and an encrypted key $K^{*}$ $(= K^{E} \bmod n)$, which is obtained by encrypting the decryption key $K$ of the digital content with an RSA (Rivest-Shamir-Adleman) modulus $n$ and an encryption key $E$. The proving apparatus possesses tamper-resistant hardware, such as an IC card, that can perform modular exponentiation and calculate a one-way hash function $f(x;y)$. User identifying information $e$ is stored in the IC card.
A decryption key $D$ corresponding to the RSA modulus $n$ and the encryption key $E$ represents a capability for access to a digital content.
An access ticket $t$ is data with a value as shown in the following equation (1).
$$t = D - f(e;n) \qquad (1)$$
The possession of a capability is proven if the proving apparatus can decrypt K* correctly and the verification apparatus can obtain the decryption key K of the digital content.
(1) The verification apparatus generates a random number $r$.
(2) The verification apparatus calculates $C = r^{E} K^{*} \bmod n$ and sends $n$ and $C$ to the proving apparatus.
(3) The proving apparatus calculates $R_1 = C^{f(e;n)} \bmod n$ inside the IC card.
(4) The proving apparatus calculates $R_2 = C^{t} \bmod n$.
(5) The proving apparatus calculates $R = R_1 R_2 \bmod n$ and sends the result to the verification apparatus.
(6) The verification apparatus calculates $r^{-1}$ that satisfies $r^{-1} r \equiv 1 \pmod n$, then calculates $K' = r^{-1} R \bmod n$.
If the above process is performed correctly, then the possession of the capability is proven since, as shown in the following equation (2), $K \equiv K' \pmod n$ is obtained.
$$\begin{aligned}
K' &\equiv r^{-1} R \\
   &\equiv r^{-1} R_1 R_2 \\
   &\equiv r^{-1} C^{f(e;n)} C^{t} \\
   &\equiv r^{-1} C^{f(e;n)+t} \\
   &\equiv r^{-1} C^{D} \\
   &\equiv r^{-1} \left(r^{E} K^{*}\right)^{D} \\
   &\equiv r^{-1} \left(r^{E} K^{E}\right)^{D} \\
   &\equiv r^{-1} r K \\
   &\equiv K \pmod n
\end{aligned} \qquad (2)$$
With this method, if each user holds an IC card containing user identifying information e, then the access ticket necessary for access to a digital content will be different for each user. The possession of a capability cannot be proven using an access ticket of another user.
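The following is a worked example of the prior-art access ticket protocol above, added here for illustration; it is not code from the patent or from its inventors. It instantiates the abstract hash $f(e;n)$ as SHA-256 over the two integers (an assumption), uses constructed toy RSA parameters that are far too small for real use, and, as an implementation choice, has the issuer reduce the ticket $D - f(e;n)$ modulo $\varphi(n)$ so that the exponent stays nonnegative (equation (1) leaves it as the plain difference; the congruence $C^{f(e;n)+t} \equiv C^{D} \pmod n$ still holds). It runs steps (1) to (6) for a legitimate card and then for a second card that was given a copy of the first user's ticket, showing that the copied ticket does not recover $K$.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA parameters: two small primes so the example runs instantly.
# They are far too small for real use; only the protocol algebra is being shown.
P, Q = 104729, 1299709
N = P * Q                       # RSA modulus n
PHI = (P - 1) * (Q - 1)         # phi(n), known only to the issuer of capabilities
E = 65537                       # RSA encryption (public) key E


def modinv(a, m):
    """Multiplicative inverse of a modulo m via the extended Euclidean algorithm."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m


D = modinv(E, PHI)              # RSA decryption key D: the capability itself


def f(e, n):
    """One-way hash f(e;n). The prior-art text leaves f abstract; SHA-256 over the
    decimal encodings of e and n, read as an integer, is the assumption used here."""
    digest = hashlib.sha256(f"{e}:{n}".encode()).digest()
    return int.from_bytes(digest, "big")


def issue_access_ticket(e_user):
    """Equation (1): t = D - f(e;n). The issuer (who knows phi(n)) reduces the
    difference modulo phi(n) so the ticket is a nonnegative exponent; this is an
    implementation choice that keeps C^(f(e;n)+t) == C^D (mod n)."""
    return (D - f(e_user, N)) % PHI


def encrypt_content_key(k):
    """K* = K^E mod n, stored next to the encrypted content."""
    return pow(k, E, N)


class ICCard:
    """Tamper-resistant holder of the user identifying information e; e never leaves it."""

    def __init__(self, e):
        self._e = e

    def exponentiate(self, c, n):
        # Step (3): R1 = C^f(e;n) mod n, computed inside the card.
        return pow(c, f(self._e, n), n)


def prove(card, ticket, n, c):
    """Proving apparatus, steps (3) to (5)."""
    r1 = card.exponentiate(c, n)
    r2 = pow(c, ticket, n)           # step (4): R2 = C^t mod n
    return (r1 * r2) % n             # step (5): R = R1*R2 mod n


def verify(k_star, card, ticket):
    """Verification apparatus, steps (1), (2) and (6); returns the recovered K'."""
    while True:                      # step (1): random r, invertible mod n
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    c = (pow(r, E, N) * k_star) % N  # step (2): C = r^E K* mod n
    response = prove(card, ticket, N, c)
    return (modinv(r, N) * response) % N   # step (6): K' = r^-1 R mod n


def demo():
    """Returns (K, K' for the legitimate holder, K' when user B reuses user A's ticket)."""
    k = 123456789                    # constructed content decryption key, < n
    k_star = encrypt_content_key(k)
    e_a, e_b = 0x1A2B3C4D5E6F, 0x0F0E0D0C0B0A   # constructed user identifying information
    card_a, card_b = ICCard(e_a), ICCard(e_b)
    t_a = issue_access_ticket(e_a)
    legit = verify(k_star, card_a, t_a)
    copied = verify(k_star, card_b, t_a)        # B holds a copy of A's ticket
    return k, legit, copied


if __name__ == "__main__":
    k, legit, copied = demo()
    print("legitimate holder recovers K:", legit == k)
    print("copied ticket with another card recovers K:", copied == k)
```

The verifier never learns $D$, $e$ or $t$ individually; it only sees $R$, which equals $rK$ exactly when the exponents held by card and ticket sum to $D$. A ticket issued for $e_A$ and used with a card holding $e_B$ produces an exponent $f(e_B;n) + t_A$ unrelated to $D$, so the recovered value is garbage rather than $K$.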
The problem with the above method is, however, that there is only a limited degree of flexibility when distributing capabilities.
A capability is represented here as an RSA decryption key $D$. The capability shows possession of an access right to those digital contents whose $K^{*}$ was calculated with the RSA public key corresponding to $D$. Thus, it is required that the digital contents accessible with capability $D_1$ and the digital contents accessible with capability $D_2$ do not overlap. With capabilities having such a restriction, it is very difficult to distribute capabilities when the boundaries of the scope of digital contents accessible by each user are entangled in a complex manner.
For example, when:
(1) Set $S_A$ of digital contents accessible by user A is a subset of set $S_B$ of digital contents accessible by user B; or
(2) Set $S_A$ of digital contents accessible by user A and set $S_B$ of digital contents accessible by user B do not coincide but have an intersection which is not empty.
With the method as suggested above, it is not possible to express the access rights of user A with a single capability $D_A$ or the access rights of user B with a single capability $D_B$. Instead, in example (1), capabilities need to be distributed in the following manner:
(1) A capability $D_1$ representing the access rights to $S_A$; and
(2) A capability $D_2$ representing the access rights to $S_B - S_A$.
User A holds an access ticket of capability $D_1$ and user B holds access tickets for both capabilities $D_1$ and $D_2$.
In example (2), the following three kinds of capabilities need to be distributed:
(1) A capability $D_1$ showing the access rights to $S_A \cap S_B$;
(2) A capability $D_2$ showing the access rights to $S_A - S_B$; and
(3) A capability $D_3$ showing the access rights to $S_B - S_A$.
User A holds access tickets for capabilities $D_1$ and $D_2$ and user B holds access tickets for capabilities $D_1$ and $D_3$.
When such a complicated relationship exists among a large number of users, one capability needs to be distributed for each digital content, with each user holding as many access tickets as the number of digital contents to which he has access rights. As the number of digital contents increases, the administration cost for the distributors of capabilities and the cost of managing access tickets become huge.
When controlling access rights to documents in an office, for example, where hundreds of thousands of digital contents need to be managed, the number of digital contents a single person can access is perhaps more than ten thousand. It is highly difficult for the distributor of capabilities to manage all of the capabilities and for each user to manage all of his access tickets.
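The partitioning described in examples (1) and (2) generalizes: because capabilities must cover non-overlapping sets of contents, the minimal set of capabilities is obtained by grouping contents according to the exact set of users allowed to access them, and a user needs one access ticket per group that includes him. The following added example (illustration only, not from the patent) computes that grouping for the two examples in the text and for a constructed worst case in which every content has a distinct set of holders, so the number of capabilities equals the number of contents.

```python
def minimal_capabilities(access):
    """access maps user -> set of digital contents the user may access.

    Groups the contents by the exact set of users allowed to access them. Each distinct
    group is the scope of one non-overlapping capability D_i; a user needs one access
    ticket per group containing him. Returns (groups, tickets_per_user) where groups maps
    frozenset(users) -> set(contents)."""
    all_contents = set().union(*access.values()) if access else set()
    groups = {}
    for content in all_contents:
        holders = frozenset(u for u, s in access.items() if content in s)
        groups.setdefault(holders, set()).add(content)
    tickets = {u: sum(1 for holders in groups if u in holders) for u in access}
    return groups, tickets


def capability_count(access):
    """Number of capabilities that must be distributed for the given access relationship."""
    groups, _ = minimal_capabilities(access)
    return len(groups)


# Example (1) from the text: S_A is a subset of S_B (constructed content names).
EXAMPLE_1 = {"A": {"doc1", "doc2"}, "B": {"doc1", "doc2", "doc3"}}

# Example (2) from the text: S_A and S_B overlap without coinciding.
EXAMPLE_2 = {"A": {"doc1", "doc2"}, "B": {"doc2", "doc3"}}


def entangled_example(n_users):
    """Constructed worst case: contents are numbered 1 .. 2^n - 1 and user j may access
    content i exactly when bit j of i is set. Every content then has a different set of
    holders, so one capability per content is needed, and each user holds 2^(n-1) tickets."""
    return {
        f"user{j}": {i for i in range(1, 2 ** n_users) if (i >> j) & 1}
        for j in range(n_users)
    }


if __name__ == "__main__":
    for name, access in (("example (1)", EXAMPLE_1), ("example (2)", EXAMPLE_2),
                         ("4 entangled users", entangled_example(4))):
        groups, tickets = minimal_capabilities(access)
        print(f"{name}: {len(groups)} capabilities, tickets per user {tickets}")
```

For example (1) the function yields two capabilities ($S_A$ and $S_B - S_A$) with user A holding one ticket and user B two; for example (2) it yields three capabilities with two tickets per user, matching the text. In the entangled case with four users it yields fifteen capabilities for fifteen contents, which is the one-capability-per-content situation the paragraph above describes.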
In response to the above described need, the present invention provides an apparatus and methods to render management of access tickets easier when distributing capabilities using access tickets.
The present invention includes an apparatus for user authentication that verifies the legitimacy of a proof data generated to prove a right of a user.
A first storage unit stores a challenge data and a second storage unit stores a control information. A third storage unit stores an authentication support information that is generated according to a predetermined relationship between an authentication characteristic information and the control information. A fourth storage unit stores a required security information.
A required security information inspection unit inspects whether or not the required security information and the control information satisfy a predetermined relationship. A response data generation unit generates the response data according to an inspection result of the required security information inspection unit using the challenge data, the control information, the required security information and the authentication support information. A verification unit determines whether or not the response data is generated based on the authentication characteristic information.
The response data generation unit generates a legitimate response data only when all of the challenge data, the control information, the required security information and the authentication support information are legitimate.
Unlike the method suggested in the prior art, this invention does not use only authentication characteristic information as capability. According to this invention, the control information includes information that defines the extent of the capability a user possesses, and a required security information includes information that defines the capability needed for access to a content. This way, the scope of the capability of a user can be set flexibly and the possession of capability can be examined by the required security information inspection unit.
Moreover, a user cannot replace the control information or the required security information with illegitimate data because then, a correct response data is not generated.
In another embodiment according to the present invention, the user authentication apparatus verifies the legitimacy of a proof data generated to prove a right of a user with the following method.
A first storage unit stores a challenge data and a second storage unit stores a control information. A third storage unit stores an authentication support information that is generated according to a predetermined relationship between an authentication characteristic information and the control information. A fourth storage unit stores a required security information. A fifth storage unit stores an inspection information of the required security information.
A first required security information inspection unit inspects whether or not an output data generated according to a predetermined relationship between the challenge data and the required security information satisfies a predetermined relation with the inspection information stored in the fifth storage unit. A second required security information inspection unit inspects whether or not the control information and the required security information satisfy a predetermined relationship. A response data generation unit generates the response data according to respective inspection results of the first and second required security information inspection units using at least the challenge data, the control information, the required security information and the authentication support information. A verification unit performs an operation dependent upon whether or not the response data generated by the response data generation unit is generated based on the authentication characteristic information.
The response data generation unit generates a legitimate response data only when all of the challenge data, the control information, the required security information and the authentication support information are legitimate.
Here again, the user authentication apparatus does not use only authentication characteristic information as capability, unlike the method suggested in the prior art. The control information includes information that defines the extent of the capability a user possesses, and a required security information includes information that defines the capability needed for access to a content. This way, the scope of the capability of a user can be set flexibly and the possession of capability can be examined by the required security information inspection unit.
The legitimacy of the required security information is examined in the first required security information inspection unit and a correct response data is not generated unless the required security information is correct. Therefore, a user cannot replace the control data or the required security data with illegitimate data.
The present invention may also be realized as a user authentication method or a computer program product.
Furthermore, a user authentication program product executed on a computer, or the like may be realized as a storage medium readable by a computer storing the computer program. The storage medium transforms energy conditions of magnetism, optics, electricity or the like in accordance with the contents of the program, and sends correspondent signals to a reader equipped to hardware resources of the computer. The storage medium may be, for example, a magnetic disk, optical disk, CD-ROM or an internal memory of the computer. The computer, in this case, has an apparatus that can read the storage medium and execute processes according to the program.